wso2 ei调用具有签名的端点

时间:2019-03-15 13:43:00

标签: wso2 wso2ei

我开始在我的公司中使用wso2EI。 我们需要调用一个公开我们提供者的服务。该服务是一个SOAP Web服务,通​​过密钥库在正文中进行签名(它们向我发送pfx),其思想是使用wso2EI调用该服务以通过此应用程序内部使用。

因此,我创建了一个代理服务和Policy.xml。当我尝试在没有Policy.xml的情况下调用代理服务时,我提出了一个已编码的请求,它可以正常工作。但是,当我将Policy im设置为以下错误时:

  

[-1234] [] [PassThroughMessageProcessor-351] ERROR {org.apache.synapse.core.axis2.Axis2Sender} - Unexpected error during sending message out java.lang.NullPointerException at sun.security.provider.JavaKeyStore$JKS.convertAlias(JavaKeyStore.java:58) at sun.security.provider.JavaKeyStore.engineGetCertificateChain(JavaKeyStore.java:163) at sun.security.provider.JavaKeyStore$JKS.engineGetCertificateChain(JavaKeyStore.java:56) at sun.security.provider.KeyStoreDelegator.engineGetCertificateChain(KeyStoreDelegator.java:101) at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetCertificateChain(JavaKeyStore.java:70) at java.security.KeyStore.getCertificateChain(KeyStore.java:1048) at org.apache.ws.security.components.crypto.CryptoBase.getCertificates(CryptoBase.java:468) at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:313) at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:351) at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:266) at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:762) at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:457) at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:97) at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147) at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65) at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) at org.apache.axis2.engine.Phase.invoke(Phase.java:313) at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261) at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426) at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185) at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167) at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:603) at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:85) at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:547) at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:384) at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65) at org.apache.synapse.mediators.builtin.SendMediator.mediate(SendMediator.java:123) at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108) at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70) at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158) at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:224) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:415) at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:151) at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

代理是:

  

<in><header> <sec:OriginPoint xmlns:sec="http://esb.xxx.com/sec/">cd</sec:OriginPoint> </header> <send buildmessage="true"> <endpoint> <address uri="https://xxx.xxx.xxx.xxx:4443/ESB-Host-secure-services/http/host-secure-services/serviceSecureRouter"> <enableSec policy="gov:ws-policy/Policy.xml"/> </address> </endpoint> </send> </in> <out> <log level="full"/> <send/> </out>

和政策:

  

<wsp:Policy wsu:Id="signingpolicy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> <wsp:ExactlyOne> <wsp:All> <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy> <sp:InitiatorToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"> <wsp:Policy> <sp:WssX509V3Token10/> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:InitiatorToken> <sp:RecipientToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never"> <wsp:Policy> <sp:WssX509V3Token10/> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:RecipientToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256Rsa15/> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Strict/> </wsp:Policy> </sp:Layout> </wsp:Policy> </sp:AsymmetricBinding> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy> <sp:MustSupportRefKeyIdentifier/> <sp:MustSupportRefEmbeddedToken/> <sp:MustSupportRefIssuerSerial/> </wsp:Policy> </sp:Wss10> <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <sp:Body/> </sp:SignedParts> <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> <ramp:signatureCrypto> <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> <ramp:property name="org.apache.ws.security.crypto.merlin.file">xx/xx/xx/certificado.jks</ramp:property> <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">xxx</ramp:property> </ramp:crypto> </ramp:signatureCrypto> </ramp:RampartConfig>
</wsp:All> </wsp:ExactlyOne> </wsp:Policy>

更新

使用DEBUG选项设置org.apache.synapse.transport.http.wire之后,我开始查看日志中的响应,但是服务仍然失败。 错误是这样的:

  

[2019-03-19 16:29:29,620] [-1] [] [PassThroughMessageProcessor-2] ERROR {org.apache.axis2.transport.base.threads.NativeWorkerPool} - Uncaught exception java.lang.NullPointerException at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:265) at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249) at org.apache.rampart.RampartEngine.process(RampartEngine.java:221) at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:93) at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) at org.apache.axis2.engine.Phase.invoke(Phase.java:313) at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261) at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167) at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:263) at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

代理服务器仍然相同。

更新2 终于我做到了!问题出在代理服务和安全中介程序中。这是最终的代理服务。谢谢所有人!:

  

<inSequence> <header> <sec:OriginPoint xmlns:sec="http://esb.firstdata.com/sec/">cencosud</sec:OriginPoint> </header> <send> <endpoint> <address uri="https://172.24.4.215:4443/ESB-Host-secure-services/http/host-secure-services/serviceSecureRouter"> <enableAddressing/> <enableSec outboundPolicy="gov:ws-policy/Policy.xml"/> </address> </endpoint> </send> </inSequence> </target> <description/> </proxy>

1 个答案:

答案 0 :(得分:0)

对我来说有两件事:基于该错误,看来您有一些密钥库或证书别名问题。可以尝试的几件事:

  • 一个常见的错误是导入不带别名的证书。 检查密钥库以查看名称是否正确。
  • 我没有看到提到的回调处理程序吗?你实现了吗?

更多信息here,包括examplepolicycallbackhandler project